#10. No or Outdated Security Policy

The reasons for this are many, including:

We don't know how to start.

We want to get it right, so we delay.

We don't have the resources (staff, money, time) to get to it.

Things are moving too fast.

Examples are also manifold, including:

A mainframe-era policy in an internetworked world. Or, in a more current version of the same problem, a policy written five years ago when the company had 30 people, before all of those mergers.

Doesn't take into account remote or teleworkers.

Doesn't cover all user types; that is, it treats all users (sales staff, sales reps who are not employees, contract workers, business partners) the same.

#9. Lack of Senior Management Understanding/Buy-in

They don't understand the expense, the costs, the liabilities, or the risks. They equate security with the last large expense the company made: the "Security = Firewall" phenomenon.

This is from a posting on the firewall-wizards mailing list:

Is there anybody out there that can help me get some configurations right on our new Gauntlet firewall? I have never configured a firewall before and have not had training and this is very important to our company so I am feeling the pressure here. Any help would be appreciated.

To which I replied:

"Can anyone out there help me learn to drive an 18 wheeler? I was hired to do this and I have a truck supplied by my company. I have a driver's license for an automobile, but I've never driven a big rig before, nor have I had any training in one. It is very important to my company that I get this right and I have to start a cross-country run on Wednesday. Any help you other drivers can offer in your spare time as you pass through will be greatly appreciated."

#8 and #7. No Audit Logs or Unread Audit Logs

These are neglected because enterprises don't know what to do with the logs or how to handle them. (Okay, maybe this has gotten better. You think?)
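As an added example (not from the original article), here is one concrete thing to do with audit logs that are otherwise collected and never read: parse a few constructed OpenSSH auth-log lines and report the source addresses a reviewer should look at. The hosts, usernames and addresses in the sample are made up; the log format is the one sshd writes to syslog.

```python
"""Added example, not from the original article: one concrete thing to do with
audit logs that are otherwise collected and never read. It parses a few
CONSTRUCTED OpenSSH auth-log lines (made-up hosts, users and addresses) and
reports the sources that deserve a human's attention."""
import re
from collections import Counter

# Constructed sample in the format sshd writes to syslog. Not real traffic.
SAMPLE_AUTH_LOG = """\
Mar  4 02:11:07 bastion sshd[2187]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  4 02:11:09 bastion sshd[2187]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  4 02:11:12 bastion sshd[2190]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Mar  4 02:11:15 bastion sshd[2193]: Failed password for invalid user oracle from 203.0.113.9 port 51041 ssh2
Mar  4 02:11:40 bastion sshd[2201]: Accepted publickey for alice from 198.51.100.23 port 40011 ssh2
Mar  4 02:12:03 bastion sshd[2205]: Failed password for bob from 198.51.100.23 port 40020 ssh2
Mar  4 02:12:10 bastion sshd[2205]: Accepted password for bob from 198.51.100.23 port 40020 ssh2
Mar  4 02:13:55 bastion sshd[2210]: Failed password for root from 203.0.113.9 port 51099 ssh2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    rf"from (?P<src>{IPV4}) port \d+"
)
ACCEPTED_RE = re.compile(
    rf"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>{IPV4})"
)


def failed_logins_by_source(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def usernames_tried(log_text, src):
    """Distinct usernames a source failed with; a list of unrelated names
    (root, admin, oracle, ...) is the signature of a guessing run."""
    names = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m and m.group("src") == src:
            names.add(m.group("user"))
    return sorted(names)


def flag_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, worst first, as (src, n)."""
    counts = failed_logins_by_source(log_text)
    hits = [(src, n) for src, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def successful_after_failures(log_text):
    """Sources that failed at least once and then got an accepted login.
    Usually a user mistyping a password, occasionally a guess that landed;
    either way it is the line a reviewer should look at first."""
    had_failure, suspicious = set(), []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            had_failure.add(f.group("src"))
            continue
        a = ACCEPTED_RE.search(line)
        if a and a.group("src") in had_failure and a.group("src") not in suspicious:
            suspicious.append(a.group("src"))
    return suspicious


if __name__ == "__main__":
    for src, n in flag_sources(SAMPLE_AUTH_LOG):
        print(f"{src}: {n} failures, usernames tried: {usernames_tried(SAMPLE_AUTH_LOG, src)}")
    print("failed then accepted:", successful_after_failures(SAMPLE_AUTH_LOG))
```

The point is not the particular thresholds but that the log is reduced to a short list someone can act on every day; a log nobody reads is only slightly better than no log at all.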

#6. Leaving the Door Propped Open

Enterprises are still making one-time changes to their security posture that end up being permanent because they are forgotten. "I just need to do this one thing." "Open this up now, and I will call you when I am done." "We have this customer demo."

#5. Exceptions

They might be needed, but are they? The more exceptions, the lower the security posture of the enterprise. This is closely linked to #6.
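The propped-open door of #6 and the accumulating exceptions of #5 have the same fix: a temporary change must carry an owner and an expiry, and something must check the expiries. The following is an added example (not from the original article) of that check against a constructed iptables ruleset. The convention that a temporary ACCEPT rule carries a comment beginning with `TEMP` and `owner=`/`expires=`/`ticket=` tags is this example's assumption, not a standard; the addresses and ticket numbers are made up.

```python
"""Added example, not from the original article: turning a "temporary"
firewall opening into something that expires instead of being forgotten.
ASSUMED CONVENTION (this example's, not a standard): a temporary ACCEPT rule
carries an iptables comment beginning with TEMP and key=value tags
owner=<who> expires=<YYYY-MM-DD> ticket=<change id>. The rules below are
constructed; addresses and ticket numbers are made up."""
import re
from datetime import date, timedelta

SAMPLE_RULES = """\
-A INPUT -s 198.51.100.0/24 -p tcp --dport 443 -j ACCEPT -m comment --comment "prod web, permanent, CHG-0007"
-A INPUT -s 203.0.113.10/32 -p tcp --dport 3389 -j ACCEPT -m comment --comment "TEMP owner=jsmith expires=2024-03-15 ticket=CHG-1042 customer demo"
-A INPUT -s 203.0.113.0/24 -p tcp --dport 22 -j ACCEPT -m comment --comment "TEMP owner=mlee expires=2024-04-02 ticket=CHG-1051 vendor support"
-A INPUT -s 192.0.2.77/32 -p tcp --dport 1433 -j ACCEPT -m comment --comment "TEMP owner=jsmith open this up now, will call when done"
-A INPUT -j DROP
"""

AS_OF = date(2024, 3, 28)  # fixed "today" so the example run is reproducible

COMMENT_RE = re.compile(r'--comment "(?P<c>[^"]*)"')
TAG_RE = re.compile(r"(?P<k>owner|expires|ticket)=(?P<v>\S+)")


def parse_rules(text):
    """Yield (line_no, rule, comment, tags) for every ACCEPT rule."""
    for n, line in enumerate(text.splitlines(), 1):
        if "-j ACCEPT" not in line:
            continue
        m = COMMENT_RE.search(line)
        comment = m.group("c") if m else ""
        tags = {t.group("k"): t.group("v") for t in TAG_RE.finditer(comment)}
        yield n, line, comment, tags


def audit_rules(text, today, warn_days=7):
    """Classify TEMP rules as of `today`.

    expired   : past their expiry and still in the ruleset (the forgotten door)
    expiring  : within `warn_days`, so the owner can renew or close the ticket
    untracked : marked TEMP but with no expiry at all (the "I'll call you" case)
    Each entry is (line_no, ticket or None)."""
    report = {"expired": [], "expiring": [], "untracked": []}
    for n, _rule, comment, tags in parse_rules(text):
        if not comment.startswith("TEMP"):
            continue  # permanent rules belong in the written policy, not here
        ticket = tags.get("ticket")
        if "expires" not in tags:
            report["untracked"].append((n, ticket))
            continue
        expires = date.fromisoformat(tags["expires"])
        if expires < today:
            report["expired"].append((n, ticket))
        elif expires <= today + timedelta(days=warn_days):
            report["expiring"].append((n, ticket))
    return report


def drop_expired(text, today):
    """Return the ruleset with expired TEMP rules removed; everything else,
    including untracked rules, is left for a human to decide on."""
    expired = {n for n, _ in audit_rules(text, today)["expired"]}
    kept = [l for i, l in enumerate(text.splitlines(), 1) if i not in expired]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for kind, entries in audit_rules(SAMPLE_RULES, AS_OF).items():
        print(kind, entries)
    print(drop_expired(SAMPLE_RULES, AS_OF))
```

Run daily, this turns "I will call you when I am done" into a ticket that either gets renewed or gets closed; the untracked bucket is the list of exceptions nobody can currently justify.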

#4. The Big Boss Problem

Every organization has someone high enough in the hierarchy to make a decision that puts the enterprise at risk, while lacking the knowledge or information to make it an educated decision.

#3. Network Service Requests Before Establishing Business Requirements

Think about the services that are routinely allowed with no real business need:

Streaming media from the Internet

Instant Messenger

Skype

Access to my Hotmail, et al. accounts

#2. Allowing Network Services Without Assessing Security

This is almost meaningless nowadays, as nearly everything tunnels through today's porous "firewalls." Do we allow SSL through our firewalls? SSH? Can our people use NetMeeting? Of course. Have we weighed the risk? Often, of course not.